On Jun 27, 2014, at 4:19 PM, Monica Chew <[email protected]> wrote: > ----- Original Message ----- >> >> >> ----- Original Message ----- >>> 60 seconds is still a large enough window for some users to be >>> affected by DNS changes, right? We're just looking for a reason why >>> fxa might be more affected than our other properties, and "it's the >>> only service with such frequent DNS changes" seems like a decent one. >> >> No matter how small you set a window, there will always be someone in it :-) >> >> Combine that with the fact that there are always resolvers in between clients >> and our nameservers that can and will mess with things and can have their >> own ideas about TTLs. It is less common these days but it still happens. >> >> Do we have a page that explains the pinning we do? > > https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning > https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning/SiteOperators > >> Maybe for IP changes we need we different strategy? Like keeping the old IP >> alive for a longer time? Or pin to multiple IPs during changes? > > Pinning doesn't have anything to do with IPs directly. It's just a way to > assert that the site uses certificates issued by root CA X. If DNS is > pointing to the wrong IP, then there are bigger problems. At this point we > could either >
It could just be that a user is caught in the TTL window after a switch and the IP has already been assigned to another TLS endpoint. This would cause a pin failure. The client *could* use a pin failure as a signal to flush the DNS cache and try again. I think we hold on to these IPs for a bit after we switch to new ones, so I’m confused how this is still happening though. -chris > 1) Broaden the pinset (only makes sense if we think it is incorrect), or > 2) Turn it on and wait for bugs to flow in. > 3) Continue waiting an unbounded amount of time for SSL error reporting to be > finished to diagnose the problem further. > > I don't think 1) makes sense. > > Thanks, > Monica
_______________________________________________ Dev-fxacct mailing list [email protected] https://mail.mozilla.org/listinfo/dev-fxacct
